Under what circumstances should sendmail have a feature allowing it to automatically forward messages to everyone in/etc/aliases?
It shouldn't. But it's possible for a program to read /etc/aliases and then send e-mail itself to everyone in there. This is what's happening with ILOVEYOU: users are manually running an executable which then has the same privileges as the user (full privileges on Win98) and uses those privileges to read the user's address book and send e-mail.
Allowing programs that you run to read your address book is hardly a security hole -- the same is possible on unix. (The API to read the address book isn't quite as straightforward, but a program can easily read the text file that contains the addresses.)
You're right: programs should not be run automatically by receiving an e-mail. Outlook doesn't do this. It never has. Users have to run the attachment manually! Saying that it runs things without asking is a complete myth, Microsoft-like FUD.
Second, even if Win98 did have permissions (Win2000 does), think of what the virus does: it reads your address book, sends e-mail, and deletes/modifies some of your personal documents. Wouldn't all this be possible from a user account?
That other user is wrong. Please see my response to the comment you linked to. With default settings, on Outlook Express 5.0, all of these things happen. Outlook CANNOT be configured to automatically run attached scripts. I have used Outlook myself and have supported users who do, and I guarantee that it is not designed to run scripts automatically.
It's true that with default Windows settings the .vbs extension is hidden. But in that case, the .txt won't be misleading, as users won't have seen any extensions on text files -- users will use the icons to see the nature of a file, and the ILOVEYOU file will be displayed with a VBScript icon. And users will still be warned that the file may contain a virus.
Running scripts automatically would be analogous not only to leaving the gas cap off of a tank but to storing an explosive in the trunk. And if Outlook did run system scripts automatically, then it would be a serious security problem. But it doesn't, and the gas tank has a cap screwed on fairly tightly.
Nice analogy, but how exactly does it compare to Outlook?
Allowing executable files to read address books and send e-mail is hardly a security hole, it's a necessary feature. In this case, it's impossible for a "malicious hacker" to simply toss in a match: users have to receive the matchbox, open the matchbox, be warned by their gas tank that the matchbox may contain a virus, and then finally choose to ignore the warning and light the match themselves.
I am no great Microsoft fan. I don't despise them either. I do, however, know most of the facts in this case, and 99% of the Microsoft-bashing here is unwarranted.
First, some facts about what Outlook does. It does not claim that the file is a text file; it is displayed with the VBScript icon, and depending on system configuration, a .vbs extension. It does not run the file automatically -- users have to manually run the attachment. Even after clicking on the attachment, by default Outlook warns users that it may be a virus and the default option is to save the file, not to run it.
So, in order to be infected, users have to read the e-mail message, click on the paperclip icon to open attachments, click on the file which has a VBScript icon and usually a .vbs extension, then click "Open this" on a dialog box that warns them that the file may contain a virus. This hardly sounds like a security hole to me; it sounds like stupid users. It is basically impossible to run the virus accidentally.
The other criticism that's heard often is that users having full, root-like control is the problem. (This isn't the case in Windows 2000, by the way.) Yes, Win98 sucks, and yes, this may be a security problem, but it is completely irrelevant in this case. The virus reads your address book, sends several e-mails, then deletes certain files in the user's document directory. None of these actions would require root privileges on a system that implements them. (The virus also attempts to obtain system passwords, but this is not the part of the virus that is causing damage -- nobody has been affected by the virus obtaining passwords.)
Most of the MS bashing here is grounded in imaginary security holes. I'm not a great MS fan, and I hate Win98 as much as anyone, but if you want to criticize them, don't lie. What's being said here is worse than the stuff that Microsoft says about Linux -- at least that stuff is based at some point on facts or semi-facts.
I don't know what you saw happen, but it wasn't that.
Outlook (when I say Outlook, I'm referring to Outlook Express 5.0, the most commonly used version and the one I have experience with) does not run this virus automatically. It cannot be made to run this virus automatically.
It DOES run embedded scripts by default, but so does any modern graphical web browser. Outlook runs embedded scripts in a secure sandbox -- they are NOT allowed to read/write files, send e-mail, etc. The ILOVEYOU virus is not an embedded script, it's an external script, analogous to a .pl Perl script.
So, to repeat again: it is NOT RUN AUTOMATICALLY. As someone said above, the only common e-mail client that can be configured to auto-execute system scripts is GNU Emacs.
This is not trolling -- this is the complete truth. And, by the way, how did a short message with no facts that was completely incorrect get moderated to +5? People really do hear what they want to hear.
No, it doesn't erase files without prompting from Outlook. I haven't looked at the virus' code, but I would guess that this is what happened to you:
- You clicked on it in Eudora. This runs it.
- The script executed.
- One of the things the script does is to read your Outlook address book and to send e-mail via Outlook. In order to do this, it makes sure that Outlook is open.
- Even though you closed Outlook, the script wasn't running via Outlook, and so continued to run.
.vbs files, like this, don't run via Outlook, they run via the Windows Scripting Host. Outlook only opened because the script opened it.
VBS is not included in Outlook -- it is a system scripting language. The closest thing to it in the unix world is Perl. Perl can directly modify files on the hard drive, and it wouldn't be too difficult to write a Perl script to get someone's e-mail address book (for a particular e-mail client).
Yes, and these reports are FALSE! The attachment does not run itself automatically, no matter what your setup. IT DOES NOT RUN AUTOMATICALLY. USERS HAVE TO OPEN IT. Do I need to say this 10,000 more times?
How about you show me a Windows client that does this first? Outlook sure doesn't.
1) It does not say "this is a text file". It displays it with the "script file" icon, not the "text file" icon, and unless you have the display extensions setting off, shows you the .vbs extension.
2) Once you click on it, it pops up a warning that says "this file may contain a virus"! If you then manually select the "Yes, run it" option (the default is to save to disk), then yes, it will run it, but the user is given large amounts of warning first.
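The hidden-extension point made above (a .vbs file that Explorer shows as .txt once the last extension is dropped) is the kind of thing a mail gateway can check for. The following is an added example, not code from this thread: it parses a message, flags attachments whose final extension is a script or executable type, and reports what the shell would display with extensions hidden. The extension list and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the Windows shell hands to the Windows Scripting Host or runs
# directly on double-click. .vbs is the type the thread discusses; the rest
# are assumed additions, extend for your environment.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                     "bat", "cmd", "exe", "com", "pif", "scr"}


def classify_filename(filename):
    """Classify an attachment name.

    Returns a dict with:
      script    - last extension is an executable/script type
      shown_as  - what Explorer shows when 'hide extensions for known
                  file types' is on (only the last extension is dropped)
      disguised - a script whose shown_as still ends in an innocuous
                  extension such as .txt (the double-extension trick)
    """
    name = filename.strip()
    base, dot, ext = name.rpartition(".")
    if not dot:
        return {"filename": name, "script": False,
                "shown_as": name, "disguised": False}
    script = ext.lower() in SCRIPT_EXTENSIONS
    disguised = script and "." in base
    return {"filename": name, "script": script,
            "shown_as": base, "disguised": disguised}


def scan_message(raw):
    """Parse a raw RFC 5322 message and return findings for script attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        info = classify_filename(filename)
        if info["script"]:
            info["content_type"] = part.get_content_type()
            findings.append(info)
    return findings


def build_sample():
    """Constructed sample: one disguised .vbs and one harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "kindly check the attached note"
    msg.set_content("please see the attached note.")
    # Constructed script body; the middle .txt is what the shell shows
    # once the trailing .vbs is hidden.
    msg.add_attachment(b'MsgBox "constructed sample"',
                       maintype="application", subtype="octet-stream",
                       filename="note.txt.vbs")
    msg.add_attachment("quarterly numbers", subtype="plain",
                       filename="report.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        print(f"{f['filename']}: shown as '{f['shown_as']}', "
              f"disguised={f['disguised']}")
```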
Considering that a battery of highly trained, ravenous lawyers looks over every legal document that Microsoft produces, I'd guess the GPL. Actually, I'd say neither, but I wasn't given that choice.
Fine. But my point is that with normal copyright, I can distribute works that rely on someone else's shared library.
No you can't -- unless given permission to distribute something, copyright does not allow you to distribute it, incorporate it into another program, whatever. You can't take a .dll (dynamic library) from a commercial Windows program, include it in your program, and then distribute that program.
Yep, that's me, obviously fucking insane because I give a shit about the planet I leave behind.
Actually, no. Nobody said that. The post you're replying to accused you of being a kook not for recycling and/or driving a small car, but for taking the dictatorial, absolute position that your ideology is Right and that everyone else is Wrong. Your post was an angry rebuttal to an argument that was never put forward.
I am not a fan of corporate advertising and the culture that goes along with it.
So?
It is difficult for anyone to say that they oppose freedom, that they are for a homogeneous, restrictive society. But the weak link here is what's linking freedom to free software.
Or, to be more specific: exactly HOW does not allowing others to profit from the software that I have spent months writing lead to the world not being able to choose between smooth and extra-crunchy?
These days, almost everything is being defended with passionate calls to freedom, democracy, rights, and so on. This is because no one can disagree with it; it's the old "Do you enjoy killing small, vulnerable babies? Well then, you obviously must be a member of the Church of Eckankar!" trick.
Saying "Well, if freedom's crazy, then I guess I'm a nutcase!" is empty Hollywoodish rhetoric. Nobody is chanting "Down with freedom!" in the streets. If you want to make a good argument, tell us in excruciating detail exactly HOW our freedom is being destroyed.
Until then, I will not consider the release of binaries equivalent to killing small, and surprisingly cute, babies. And, though I don't want a global corporate police state, nobody has yet given me a good reason why not waving pages of source code in the streets will cause this.
America is historically the most generous country in the world? Out of interest, where the hell are you getting your information?
The United States' per-capita foreign aid is extremely low, lower than just about every Western European country. (At least, according to the numbers I have from 1994.)
I'm not a rabid America-basher, but foreign aid is certainly not one of America's specialties.
Other people can download MP3s from directories you've opened to Napster, yes, but you're in no way forced to use Napster or to put copyrighted files in your download directories. You are running a server which allows other people to download these files -- you're making them available.
Analogy: you have marijuana used for medical purposes. (This is the best example I could come up with of something that's legal for you to have but illegal for others.) If someone sneaks into your house and steals some, you've done nothing illegal. If, however, you keep it in a large bowl in front of your house beneath a sign that says "Take Some", then that is illegal.
So if someone accesses your MP3s via a security hole in your FTP client, you're fine, as you weren't deliberately making those available. If, however, you run a server which is designed to allow people to download MP3s from you, and you have the ability to not allow people to download your copyrighted MP3s but don't do so, then you're not fine, as you are deliberately distributing something illegal.
I didn't think it was unlikely -- it was a (slightly exaggerated) real example. In Canada, they're the Natural Law Party, and I think they're a branch of some international group.
They had some (unintentionally) very funny TV commercials during the last election here.
There's a pretty large difference between not finding something and having it forcibly blocked from you. Because this article was about politics, I'll use that as an example: if you start a new political party which has, as a platform, curing society via yogic bouncing, it's not going to get much coverage in large newspapers. Nobody would expect it to. But, provided that it meets the requirements for entering candidates, it's not going to be banned based on its views.
True, 99% of the population will never hear of this party. Does that mean that it should be banned? Certainly not. Anyway, in this case, we're not even dealing with missing small, insignificant sites: we're dealing with missing the Democratic Party.
I doubt that there really IS a conservative bias -- I think it's just one more symptom of the incompleteness and idiocy of filtering lists. In fact, to support its point, CNET brings up such examples as AOL filtering out that great bastion of liberalism, Ross Perot's Reform Party.
Any list which attempts to include every site on the Internet that's safe for children will necessarily miss huge numbers of sites. In this case, CNET (The Home Of Accurate, Unbiased Reporting TM) has taken some selective examples of blocked sites and attempted to have those indicate some kind of political agenda.
They've also tried to find some other examples of problems with AOL's system, like the browser keeping a cache of visited sites. (They do admit that it can be turned off by "sophisticated, advanced" users.) Wow! A cache! What a concept! Admittedly, clicking Back then Forward to allow access to sites in the cache is a bit stupid, but still, IE (which AOL uses) allows you to view cached sites very easily. And then they bring in the gaping hole of a history file stored in PLAIN TEXT. Obviously, this is something that every modern browser does. And by the way, CNET considers viewing the contents of a text file stuck in a program directory "child's play", but turning off or viewing a disk cache is "advanced" and "sophisticated".
Don't you love clear, objective, unbiased reporting? What's worse is that AOL's filters are inherently stupid -- a blacklist will always allow access to tons of sites it shouldn't, and a whitelist will always block access to tons of sites it shouldn't. Focus on the basic problems with the concept, not some made-up and easily-fixed surface mistakes: that's the only way to actually fight these things.
If man is inherently good...
If man is inherently evil...
Hmm... how about none of the above? There is no such thing as "man", a creature which always has the same characteristics. Some people are good. Some people are greedy. Some people are evil. Some people are good, but for some unfathomable reason like mayonnaise.
Humans are not identical. Not everyone can regulate their own activities. Some can be trusted in positions of power. Anarchy might work with robots; it doesn't work with humans.
Neither do I. And Outlook doesn't automatically run this virus either, as I've already said way too many times. Users have to open it manually.
Wrong. Not true. Does not run through the preview panel -- has to be run manually.
So is Perl a large security hole?
Except for the fact that it DOES warn users explicitly that it's dangerous.
With MS Word 2000: Alt-O, N, 7, Enter. That's one less button than your example. I'm not a Microsoft zealot, but Word has quite a nice UI.
When I said "yogic bouncing", that was a mistake: it's yogic flying. Read all about it.
This is nothing new.